Cisco ISE 1.1.4 no open RADIUS port
Hi,
I have a big issue with my ISE appliance configured with the latest version, which is 1.1.4.
I have configured one network device but it does not communicate with ISE. The RADIUS communication does not work.
In fact, when we run "sh ports" on the ISE we see that the RADIUS ports are not open.
I have installed an ISE appliance on 1.1.3 before and it works.
Any idea? Please.
Thanks in advance.
Hi,
Can you post the output of your show ports? Also is this in a distributed setup or is this a standalone node.
Here is the port information on my PSN -
udp: 10.250.250.183:58626, 10.250.250.183:1812, 10.250.250.183:1813, 10.250.250.183:1700, 0.0.0.0:60599, 10.250.250.183:3799, 10.250.250.183:1645, 10.250.250.183:1646,
From my admin node -
10.250.250.185:1700, 10.250.250.185:3799, 10.250.250.185:64217, 0.0.0.0:20057, 0.0.0.0:50140
If this is a standalone node, can you go to the deployment section and make sure that all checkboxes are selected, in particular the third box "Policy Service"
Tarik Admani
*Please rate helpful posts*
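The diagnosis above (the PSN listens on the RADIUS ports, the admin node does not, so the Policy Service persona is probably not enabled) can be automated. The following is an added example, not code from the thread or from Cisco: it parses the "udp:" line of `show ports` and reports which RADIUS listeners are absent. The expected port set is taken from the PSN output posted in the thread; the port descriptions are this example's own annotations, and the sample strings are constructed from the two outputs above (the admin node line is given the "udp:" prefix it lacked in the post).

```python
import re

# Expected RADIUS UDP listeners on an ISE node running the Policy Service persona.
# 1812/1813 (and legacy 1645/1646) are authentication/accounting; 1700 and 3799
# are the Change-of-Authorization listeners. The set is taken from the PSN output
# quoted in the thread; the descriptions are this example's own annotations.
PSN_RADIUS_PORTS = {
    1812: "RADIUS authentication",
    1813: "RADIUS accounting",
    1645: "RADIUS authentication (legacy port)",
    1646: "RADIUS accounting (legacy port)",
    1700: "RADIUS CoA (Cisco default port)",
    3799: "RADIUS CoA/Disconnect (RFC 5176 port)",
}

# Matches "a.b.c.d:port" tokens on a "udp:" line of `show ports`.
SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_udp_listeners(show_ports_output: str) -> set:
    """Collect every UDP port number listed on the 'udp:' line(s) of `show ports`."""
    ports = set()
    for line in show_ports_output.splitlines():
        if line.strip().lower().startswith("udp:"):
            for _addr, port in SOCKET_RE.findall(line):
                ports.add(int(port))
    return ports


def missing_radius_ports(show_ports_output: str) -> dict:
    """Return {port: description} for every expected RADIUS listener that is absent."""
    open_ports = parse_udp_listeners(show_ports_output)
    return {p: d for p, d in PSN_RADIUS_PORTS.items() if p not in open_ports}


def report(name: str, show_ports_output: str) -> str:
    """Human-readable verdict for one node."""
    missing = missing_radius_ports(show_ports_output)
    if not missing:
        return f"{name}: all RADIUS listeners present"
    lines = [f"{name}: {len(missing)} RADIUS listener(s) missing (Policy Service persona enabled?)"]
    lines += [f"  udp/{p} {d}" for p, d in sorted(missing.items())]
    return "\n".join(lines)


# Constructed samples, reusing the two outputs posted in the thread; the
# "udp:" prefix on the admin node line is added here so both parse the same way.
PSN_SHOW_PORTS = (
    "udp: 10.250.250.183:58626, 10.250.250.183:1812, 10.250.250.183:1813, "
    "10.250.250.183:1700, 0.0.0.0:60599, 10.250.250.183:3799, "
    "10.250.250.183:1645, 10.250.250.183:1646,"
)
ADMIN_SHOW_PORTS = (
    "udp: 10.250.250.185:1700, 10.250.250.185:3799, 10.250.250.185:64217, "
    "0.0.0.0:20057, 0.0.0.0:50140"
)

if __name__ == "__main__":
    print(report("psn", PSN_SHOW_PORTS))
    print(report("admin", ADMIN_SHOW_PORTS))
```

Run against the two outputs, the PSN passes and the admin node is reported as missing 1812, 1813, 1645 and 1646 while still having the CoA listeners, which is exactly the pattern of a node that runs Administration/Monitoring but not Policy Service.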
Similar Messages
-
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2, I configured it as management, monitoring and PSN and it works fine.
I would like to know if I can integrate an external RADIUS server and work with both the internal and the external RADIUS server simultaneously.
So some computers (groupe_A in Active Directory) will continue to do RADIUS authentication against the ISE internal RADIUS server and other computers (groupe_B in Active Directory) will do RADIUS authentication against an external RADIUS server.
I would like to know if it is possible to configure this and how I can do it.
Thanks in advance for your help
Regards
Blaise
Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
Cisco ISE throws "11036 The Message-Authenticator RADIUS attribute is invalid "
Hello,
I am trying to authenticate my server (running an NMS) against a Cisco ISE using the EAP-TLS protocol.
I am seeing "11036 The Message-Authenticator RADIUS attribute is invalid" in the ISE when the ACCESS-REQUEST is sent from the NMS server to ISE. The RADIUS shared secret key is the same on both the NMS server and the ISE server.
Are there some Java samples for the Message-Authenticator attribute which I can refer to? I think I am missing something in the Message-Authenticator attribute.
Any pointers or suggestions to overcome this?
To log in to the Prime GUI, the authentication will be done by ISE.
The flow goes like this: admins log in to the Prime GUI with the default username/password and add the RADIUS/ISE details, which Prime will then use for authentication/authorization.
Once that is done, any other user who tries to log in to the Prime GUI with their own credentials will be validated against the identity details in ISE. So even to log in to the Prime GUI, authentication must succeed in ISE. -
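Step 11036 means the HMAC that ISE recomputes over the Access-Request does not match the value carried in attribute 80, so the usual causes are a different shared secret, an HMAC computed over the wrong bytes (the Message-Authenticator value must be 16 zero bytes during the computation and the Length field must already be final), or a value that is not 16 bytes. The following added example (not code from the post, and Python rather than the Java the poster asked about) builds an Access-Request carrying EAP-Message, signs it per RFC 2869 section 5.14, and then performs the server-side verification that ISE performs. The shared secret, identity and EAP payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used below (RFC 2865 / RFC 2869 / RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type-Length-Value (Length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes; split into several attributes")
    return bytes([attr_type, 2 + len(value)]) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble header + attributes with a correct Length field."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def message_authenticator(secret: bytes, packet_with_zeroed_ma: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the whole packet (RFC 2869 section 5.14)."""
    return hmac.new(secret, packet_with_zeroed_ma, hashlib.md5).digest()


def sign_access_request(secret: bytes, identifier: int, attrs: list, authenticator: bytes = None) -> bytes:
    """Client side: append a zero-filled Message-Authenticator, HMAC the packet, patch the value in."""
    authenticator = authenticator or os.urandom(16)
    placeholder = attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = build_packet(ACCESS_REQUEST, identifier, authenticator, attrs + [placeholder])
    mac = message_authenticator(secret, packet)
    return packet[:-16] + mac  # the placeholder is the last attribute, so its value is the last 16 bytes


def iter_attributes(packet: bytes):
    """Yield (offset, type, value) for each attribute, refusing malformed lengths."""
    offset = HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("attribute length field out of range")
        yield offset, attr_type, packet[offset + 2:offset + length]
        offset += length


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: the check that fails with ISE step 11036 when the HMAC does not match.

    Recomputes the HMAC over the packet with the Message-Authenticator value zeroed.
    A packet carrying EAP-Message without a Message-Authenticator is also rejected.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    has_eap = False
    for offset, attr_type, value in iter_attributes(packet):
        if attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            return hmac.compare_digest(message_authenticator(secret, zeroed), value)
    return not has_eap  # absent: tolerable only when no EAP-Message is present


# Constructed sample: an EAP-Response/Identity (Code 2, Id 1, Length 15, Type 1) for a made-up user.
SHARED_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    attribute(ATTR_USER_NAME, b"nms-server"),
    attribute(ATTR_EAP_MESSAGE, bytes([2, 1, 0, 15, 1]) + b"nms-server"),
]

if __name__ == "__main__":
    pkt = sign_access_request(SHARED_SECRET, 7, SAMPLE_ATTRS)
    print("valid with correct secret:", verify_message_authenticator(SHARED_SECRET, pkt))
    print("valid with wrong secret:  ", verify_message_authenticator(b"other", pkt))
```

When porting this to Java, the same two details matter: compute the HMAC with `HmacMD5` over the complete, final-length packet in which the 16 value bytes of attribute 80 are zero, and only then overwrite those bytes with the digest.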
Cisco ISE: External RADIUS Server
Hi,
I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
So, how can I use this external RADIUS server to process my request?
I looked at the user guide but didn't find any information about this setting (for rule-based, not simple rules).
If anyone uses this, please advise me.
Thanks,
Pongsatorn
Defining an External RADIUS Server
The Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
The Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
To create an external RADIUS server, complete the following steps:
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2 Click Add to add an external RADIUS server.
Step 3 Enter the values as described:
•Name—(Required) Enter the name of the external RADIUS server.
•Description—Enter a description of the external RADIUS server.
•Host IP—(Required) Enter the IP address of the external RADIUS server.
•Shared Secret—(Required) Enter the shared secret between Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
•Key Encryption Key—This key is used for session encryption (secrecy).
•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
•Server Timeout—(Required) Enter the number of seconds that the Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
•Connection Attempts—(Required) Enter the number of times that the Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
Step 4 Click Submit to save the external RADIUS server configuration. -
Is OpenLdap supported by Cisco ISE 1.2?
When I try "Test bind to server" I get results, so the connection seems fine. However, when I set up the policies for a basic WLAN with WPA2 authentication it says "Invalid password". When I put my username in the attributes folder it finds my ID, so I'm sure the link is working fine.
Cisco ISE always uses the primary LDAP server to obtain groups and attributes for use in authorization policies from the Admin portal, so the primary LDAP server must be accessible when you configure these items. Cisco ISE uses the secondary LDAP server only for authentications and authorizations at run time, according to the failover configuration.
Cisco ISE retains a list of open LDAP connections (including the binding information) for each LDAP server that is configured in Cisco ISE. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection. After the authentication process is complete, the connection manager releases the connection.
Please check the link below, which may be helpful:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ui_reference_administration.html#wpxref71565 -
Cisco ISE appliance IMM/ILO port, is it useable?
The Cisco ISE 33xx appliances (IBM servers) have management ports in them. Are these actually useable and supported by Cisco for any support operation?
It is usable but not supported by Cisco. I also think this is a licensed feature from the manufacturer. You may want to open a TAC case to get more details on this.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Hello,
Cisco ISE user guide suggests that all 4 ports can be assigned IP addresses and that's that. No suggestions such as if the all ports should be on different VLANs or if the ports can be bundled, hence saving IP address space. I have read the book by ISE expert Aaron Woland and no suggestions either.
On a Standalone ISE, as soon as I configured Gi1 with a different IP subnet from Gi0, I lost GUI access. So my questions are as follows:
1. Can all 4 ports be bundled?
2. If there is no bundling and all 4 ports are assigned IP addresses, can they be on different IP subnets, whether Standalone or Distributed personas? For example a PSN with 4 ports: Gi0 - 10.0.10.x, Gi1 - 172.16.5.x, Gi2 - 172.16.8.x, Gi - 10.2.5.x
Thanks
The ISE log detailed steps are as follows:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12501 Extracted EAP-Response/NAK requesting to use EAP-TLS instead
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
5411 No response received during 120 seconds on last EAP message sent to the client -
Hi!!
We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory, but the client wants the mapping to be done through a RADIUS server, to avoid ISE querying Active Directory directly.
I know it is possible to use a RADIUS server as an external identity source for ISE, but is it possible to use this RADIUS server for this sponsor group handling?
Thanks and regards!!
Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the "Mapping Active Directory Groups to Sponsor Groups" heading.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365 -
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the RADIUS server for client access control. But I got some problems, such as:
No Accounting Start (I have configured accounting on the Switch 2960).
RADIUS Request Dropped (attached image). These NAS IP addresses are servers on the same subnet as Cisco ISE.
I would greatly appreciate any help you can give me in working this problem.
Have a nice day,
Thanks and Regards,
Sorry for the late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working this problem. -
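Two things are worth checking mechanically in a switch configuration like the one posted: whether the AAA and RADIUS lines needed for dot1x/MAB accounting are all present, and which interface address the switch will use as its NAS IP (ISE drops RADIUS requests whose source address is not defined as a network device). The following added example (not from the post or from Cisco) audits an IOS running-config excerpt for those lines and flags `aaa accounting delay-start`, which defers the Accounting-Start record until the client IP address has been learned. The sample configuration is a constructed excerpt of the config posted above, with the same placeholder addresses.

```python
import re

# Each required line: (finding label, regex that must match a config line, severity).
REQUIRED = [
    ("aaa new-model", r"^aaa new-model$", "error"),
    ("dot1x authentication list uses RADIUS", r"^aaa authentication dot1x \S+ group radius", "error"),
    ("network authorization uses RADIUS", r"^aaa authorization network \S+ group radius", "error"),
    ("dot1x accounting start-stop to RADIUS", r"^aaa accounting dot1x \S+ start-stop group radius", "error"),
    ("global dot1x enabled", r"^dot1x system-auth-control$", "error"),
    ("RADIUS server with key defined", r"^radius-server host \S+ .*key \S+", "error"),
    ("RADIUS source interface pinned", r"^ip radius source-interface \S+", "warning"),
    ("dead-criteria configured", r"^radius-server dead-criteria ", "warning"),
]

# Lines that are present and deserve a note rather than being missing.
NOTES = [
    ("aaa accounting delay-start", r"^aaa accounting delay-start",
     "Accounting-Start is deferred until the client IP address is learned (IP device tracking); "
     "no Start record is sent for a client whose address is never learned"),
]


def normalize(config_text: str) -> list:
    """Strip indentation, blank lines and '!' separators from running-config text."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def audit_radius_config(config_text: str) -> list:
    """Return [(severity, message), ...] for missing required lines and notable present lines."""
    lines = normalize(config_text)
    findings = []
    for label, pattern, severity in REQUIRED:
        if not any(re.match(pattern, line) for line in lines):
            findings.append((severity, f"missing: {label}"))
    for label, pattern, explanation in NOTES:
        if any(re.match(pattern, line) for line in lines):
            findings.append(("info", f"{label}: {explanation}"))
    return findings


def radius_source_interface(config_text: str):
    """Interface whose address the switch uses as NAS IP toward ISE, or None if not pinned."""
    for line in normalize(config_text):
        m = re.match(r"^ip radius source-interface (\S+)", line)
        if m:
            return m.group(1)
    return None


# Constructed excerpt of the configuration posted above (placeholders kept as posted).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start all
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
 client A.B.C.D server-key keystrings
ip device tracking
dot1x system-auth-control
!
interface Vlan139
 ip address E.F.G.H 255.255.255.0
ip radius source-interface Vlan139
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
"""

if __name__ == "__main__":
    print("NAS IP taken from:", radius_source_interface(SAMPLE_CONFIG))
    for severity, message in audit_radius_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the posted configuration nothing required is missing, so the audit only reports the delay-start note; the NAS IP that must be registered in ISE as the network device is the Vlan139 address. Requests arriving from other hosts on that subnet are unrelated to this switch and would each need their own network device entry in ISE before ISE stops dropping them.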
Hello,
Running ISE 1.2.1 Patch 1, we get following error message: "12929 NAS sends RADIUS accounting update messages too frequently" on all NAS Devices (i.e. C-4500s running SPA.03.04.00.SG.151-2.SG.bin).
There was a previous post on this forum (RE: https://supportforums.cisco.com/discussion/11894006/ise-12-wlc-5508-nas-sends-radius-accounting-update-messages-too-frequently) that stated that the "aaa accounting update newinfo" command doesn't solve this problem even though bug CSCuh01760 "Misconfigured NAS criteria needs to be changed" is resolved in ISE 1.2.1 as per the release notes.
Could you please advise us on what to do now? Thank you.
Regards.
For the WLC side:
1. You are probably hitting this bug CSCug14713
2. You can also change the "Interim Update" located under the SSID > Security AAA Servers
For the Switch side:
1. You might be hitting this bug: CSCuh01760
2. Make sure that you have the following command in your config "aaa accounting update newinfo"
Thank you for rating helpful posts! -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
Bob
Hello Robert,
I believe no, they won't work together, as TACACS and RADIUS are different technologies.
It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, please review the information below as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
Configuring Cisco ISE for Authorization with External Radius Server attribute
Hi,
I'm trying to integrate an external radius server with Cisco ISE.
I created an External Identity Store>Radius Token Server.
I created an Identity Store sequence with just the one identity store created above.
And I was able to authenticate successfully.
But when it comes to authorization, I observed we just have one tab named Authorization while creating the RADIUS Token server.
And it always refers to ACS:attribute_name.
If I want to define an IETF RADIUS attribute (let's say Class, with attribute ID 25), how could I do it?
In Cisco ACS we have a direct entry option in the authorization tab where we can define the RADIUS (IETF) attribute within the RADIUS token server creation (within RADIUS token server > Directory attribute tab).
However I try to define the IETF attribute here (class, IETF:Class), I am not able to authorize with this attribute value.
I tried with just one single authorization rule which it could hit, but observed it going to the default (as none of the rules defined matches the condition).
Can anyone guide me on how we can define an IETF RADIUS attribute for authorization within Cisco ISE and what policy we could set for it to work as authorization?
Thanks in advance
Senthil K
These are the steps for Creating and Editing RADIUS Vendors
To create and edit a RADIUS vendor, complete the following steps:
Step 1 From the Administration mega menu, choose Resources > RADIUS Vendors.
The RADIUS Vendors page appears with a list of RADIUS vendors that ISE supports.
Step 2 Click Create to create a new RADIUS vendor or click the radio button next to the RADIUS vendor that you want to edit and click Edit.
Step 3 Enter the following information:
• Name—(Required) Name of the RADIUS vendor.
• Description—An optional description for the vendor.
• Vendor ID—(Required) The Internet Assigned Numbers Authority (IANA)-approved ID for the vendor.
• Vendor Attribute Type Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute type. Valid values are 1, 2, and 4. The default value is 1.
• Vendor Attribute Size Field Length—(Required) The number of bytes taken from the attribute value to be used to specify the attribute length. Valid values are 0 and 1. The default value is 1.
Step 4 Click Submit to save the RADIUS vendor. -
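The two field lengths in Step 3 describe how the vendor-specific part of a Vendor-Specific Attribute (RADIUS attribute 26, RFC 2865 section 5.26) is laid out: after the 4-byte Vendor-Id come a vendor type of 1, 2 or 4 bytes, an optional 1-byte vendor length, and the value. The following added example (not code from the post or from Cisco) encodes and decodes a VSA for any combination of those two settings and rejects a vendor length that does not match the data, which is the mismatch that a wrong setting in the vendor definition produces. The Cisco sample (Vendor-Id 9, cisco-av-pair as vendor type 1) uses the default 1/1 layout; the second sample uses the 4-byte-type, no-length layout with a constructed value.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26
VALID_TYPE_LENGTHS = (1, 2, 4)   # "Vendor Attribute Type Field Length"
VALID_SIZE_LENGTHS = (0, 1)      # "Vendor Attribute Size Field Length"


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes, type_len: int = 1, size_len: int = 1) -> bytes:
    """Build attribute 26: Type, Length, Vendor-Id, then vendor type [, vendor length], value."""
    if type_len not in VALID_TYPE_LENGTHS or size_len not in VALID_SIZE_LENGTHS:
        raise ValueError("unsupported vendor field lengths")
    vendor_data = vendor_type.to_bytes(type_len, "big")
    if size_len:
        # The vendor length covers the vendor type, the length byte itself and the value.
        vendor_data += bytes([type_len + size_len + len(value)])
    vendor_data += value
    body = struct.pack("!I", vendor_id) + vendor_data
    if 2 + len(body) > 255:
        raise ValueError("VSA exceeds the 255-byte RADIUS attribute limit")
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_vsa(attr_bytes: bytes, type_len: int = 1, size_len: int = 1) -> tuple:
    """Parse attribute 26 back into (vendor_id, vendor_type, value); raise ValueError if malformed."""
    if len(attr_bytes) < 8 or attr_bytes[0] != ATTR_VENDOR_SPECIFIC or attr_bytes[1] != len(attr_bytes):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr_bytes[2:6])[0]
    data = attr_bytes[6:]
    if len(data) < type_len + size_len:
        raise ValueError("vendor data shorter than its type/length fields")
    vendor_type = int.from_bytes(data[:type_len], "big")
    if size_len:
        if data[type_len] != len(data):
            raise ValueError("vendor length field does not match vendor data length")
        value = data[type_len + 1:]
    else:
        value = data[type_len:]
    return vendor_id, vendor_type, value


def vsa_is_valid(attr_bytes: bytes, type_len: int = 1, size_len: int = 1) -> bool:
    """True when the attribute parses cleanly under the given vendor layout."""
    try:
        decode_vsa(attr_bytes, type_len, size_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Cisco (IANA vendor 9), cisco-av-pair is vendor type 1; default 1-byte type / 1-byte length layout.
    cisco = encode_vsa(9, 1, b"shell:priv-lvl=15")
    print(cisco.hex(), decode_vsa(cisco))
    # Constructed value under a 4-byte-type, no-length layout (as used by some vendors' dictionaries).
    other = encode_vsa(429, 1, b"\x00\x00\x00\x02", type_len=4, size_len=0)
    print(other.hex(), decode_vsa(other, type_len=4, size_len=0))
    # Same Cisco bytes read with the wrong layout are rejected instead of silently misparsed.
    print("cisco bytes valid as 2-byte type:", vsa_is_valid(cisco, type_len=2, size_len=1))
```

The practical point for the ISE vendor definition is that the two field lengths must match the vendor's dictionary exactly: reading a 1/1-encoded attribute with a 2-byte type shifts every byte, so the value never matches an authorization condition even though the packet itself is fine.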
Hi,
Is the following possible:
- let the ISE do the authentication and then proxy to another radius server which does the authorization.
At the moment we have a freeradius server that does the following:
1) authenticates 802.1x requests (eap-tls)
2) during authorization the server checks an external database that determines the vlan that should be returned (in radius attribute) based on originating switch and/or mac address.
I am checking if I can migrate to ISE but then the above would have to work.
For MAB I can easily do authentication/authorization on freeradius so I will proxy MAB requests to there.
regards
Thomas
ISE acts as a RADIUS proxy server by proxying the requests from a network access device (NAD) to a RADIUS server. The RADIUS server processes the request and returns the result to Cisco ISE. Cisco ISE then sends the response to the NAD.
FYI, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
WLC RADIUS attribute with Cisco ISE
Hi All,
Does anyone get the same result as me when integrating Cisco ISE with a Wireless LAN Controller?
My Authentication Policy :
Name: IsGuestAuthen
IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
My Authorization Policy :
Name: IsGuestAuthen
IF "Guest" THEN "InternetOnly"
When I monitor the Live Authentication page, I can see only the MAC address and the guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
Thanks,
Pongsatorn Maneesud
Exactly... here is the list of attributes sent in the access-request from the WLC -
http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
The framed IP address is sent in the accounting packet, which doesn't appear in the live authentication report.
If you are up to speed on REST APIs, here is some reference material on this:
http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
You can also run the RADIUS accounting report and filter it based on accounting-start packets, which will have the username and the IP address along with the MAC address.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Radius Health Check - Cisco ISE
I have one Cisco ISE setup with AD authentication. I want to configure a RADIUS health check; how can it be configured on switches?
Best Regards,
For example, if we have too many authentications per second, more than what the PSN specifications are designed for, in such cases we have to distribute the RADIUS load to other PSNs. You can also run a Catalog report to draw a graph of RADIUS latency per PSN instance under Operations > Catalog > Server Health Summary > Last 7 days > PSN Hostname.
This will only give you a trend of RADIUS latency but not the reasons why. You need to go through the logs of the concerned PSN to find out what's going on on the PSN. Certainly RADIUS latency greater than 3 seconds is concerning. In such scenarios we have to download the support bundle and analyse the logs.
Cisco ISE Dashboard Monitoring
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_mnt.html#wp1226014
Jatin Katyal
- Do rate helpful posts -